7 min read · critical

EDR killers explained: Beyond the drivers

Ransomware affiliates increasingly rely on EDR killers—ranging from BYOVD exploits and abused anti-rootkits to driverless tools—to disrupt security solutions prior to deploying encryptors. This approach allows encryptors to remain simple while the EDR killers handle complex defense evasion, complicating attribution and defense strategies.

Sens: Immediate · Conf: high · Analyzed: 2026-03-19

Authors: ESET Research

Actors: RansomHub, Embargo, DeadLock, Warlock, Monti, LockBit, Dire Wolf, Qilin, Akira, Gentlemen, RansomHouse, Medusa, DragonForce, BlackSuit, Crytox, MedusaLocker, Mustang Panda

Source: ESET

IOCs · 8

Key Takeaways

  • EDR killers are a fundamental part of modern ransomware intrusions, allowing attackers to disrupt security solutions rather than modifying encryptors to evade detection.
  • Affiliates, not RaaS operators, typically select and deploy EDR killers, leading to high tooling diversity across intrusions.
  • Driver-based attribution is often misleading because the same vulnerable driver is reused across unrelated tools, and tools frequently swap drivers.
  • The EDR killer landscape includes BYOVD exploits, legitimate anti-rootkits (e.g., GMER), driverless tools (e.g., EDRSilencer), and custom scripts.
  • Commercial 'EDR killer as a service' offerings are growing, incorporating advanced evasion techniques like packing, encrypted payloads, and potentially AI-assisted code generation.

Affected Systems

  • Windows
  • Endpoint Detection and Response (EDR) solutions
  • Antivirus (AV) solutions

Vulnerabilities (CVEs)

  • CVE-2024-51324

Attack Chain

Attackers gain high privileges on a victim's machine and deploy an EDR killer to neutralize security software. They may use BYOVD techniques to load a vulnerable driver, abuse legitimate anti-rootkit tools, or use driverless methods to suspend or block EDR telemetry. Once the security controls are disabled or blinded, the attackers deploy and execute the ransomware encryptor without interference.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No

The article does not provide specific detection rules, but mentions that a comprehensive list of IoCs and samples can be found in the ESET GitHub repository.

Detection Engineering Assessment

  • EDR Visibility: Medium — EDRs can see the initial deployment and driver loading attempts, but if the EDR killer successfully exploits a driver or blocks telemetry, visibility is lost immediately prior to encryption.
  • Network Visibility: Low — EDR killers operate locally on the endpoint to terminate processes or block local telemetry; network activity is minimal unless the driver/tool is downloaded.
  • Detection Difficulty: Hard — Attackers use legitimate, signed drivers (BYOVD) and commercial packers, making signature-based detection difficult. Driverless tools and rapid tool switching further complicate detection.

Required Log Sources

  • Event ID 7045 (Service Creation)
  • Event ID 4688 (Process Creation)
  • Event ID 4656 (Handle to Object Requested)
  • Sysmon Event ID 6 (Driver Loaded)

Hunting Hypotheses

  • Hypothesis: Look for unexpected service creation events (Event ID 7045) loading known vulnerable drivers (e.g., BdApiUtil.sys, aswArPot.sys) from unusual directories like AppData or Temp. | Telemetry: Windows System Event Log (Event ID 7045) | ATT&CK Stage: Privilege Escalation | FP Risk: Low
  • Hypothesis: Monitor for command-line execution of 'sc create' or 'sc start' targeting kernel drivers immediately followed by the termination of security-related processes. | Telemetry: Process Creation Logs (Event ID 4688 / Sysmon Event ID 1) | ATT&CK Stage: Defense Evasion | FP Risk: Medium
  • Hypothesis: Hunt for the execution of known anti-rootkit tools (e.g., GMER, PC Hunter) on endpoints where they are not part of the standard administrative toolkit. | Telemetry: Process Creation Logs (Event ID 4688 / Sysmon Event ID 1) | ATT&CK Stage: Defense Evasion | FP Risk: Low
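The three hypotheses above, written out as hunting logic and run over constructed sample events. This is an added example, not code from the ESET article or from this report. It assumes the Event ID 7045 and 4688 records have already been parsed into dicts with the fields shown; the driver names come from the report's hypotheses and IOC list, while the security-product process names, the anti-rootkit executable names, the user-writable path patterns, the host names and the 60-second correlation window are illustrative choices.

```python
"""Hunting logic for: (1) kernel-driver service installs of known vulnerable or
user-profile-resident drivers, (2) sc create/start of a kernel driver followed by
taskkill of a security process, (3) anti-rootkit tools on non-admin hosts."""
import re
from datetime import datetime, timedelta

# Driver file names taken from the report's hypotheses and IOC list.
KNOWN_VULNERABLE_DRIVERS = {
    "bdapiutil.sys", "aswarpot.sys", "tfsysmon.sys", "probmon.sys",
    "kl.sys", "msupdate.sys", "data.sys", "hwrwdrv.sys",
}
# Anti-rootkit tools named in the report; executable names are assumptions.
ANTI_ROOTKIT_TOOLS = {"gmer.exe", "pchunter.exe", "pchunter64.exe"}
# Illustrative security-product process names (assumption, tune per estate).
SECURITY_PROCESSES = {"msmpeng.exe", "ekrn.exe", "sentinelagent.exe", "csfalconservice.exe"}
# Directories a kernel driver should never legitimately be loaded from (assumption).
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\appdata\\|\\temp\\|\\users\\public\\", re.I)
SC_DRIVER = re.compile(r"\bsc(?:\.exe)?\s+(create|start)\s+(\S+)", re.I)
SEQUENCE_WINDOW = timedelta(seconds=60)


def _basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def hunt_vulnerable_driver_services(events):
    """Hypothesis 1: Event ID 7045 installing a kernel-mode driver that is either a
    known vulnerable driver or resides under a user-writable directory."""
    findings = []
    for ev in events:
        if ev["event_id"] != 7045 or ev.get("service_type") != "kernel mode driver":
            continue
        reasons = []
        if _basename(ev["image_path"]) in KNOWN_VULNERABLE_DRIVERS:
            reasons.append("known vulnerable driver")
        if USER_WRITABLE.search(ev["image_path"]):
            reasons.append("user-writable path")
        if reasons:
            findings.append((ev["host"], ev["image_path"], ", ".join(reasons)))
    return findings


def hunt_sc_then_kill(events):
    """Hypothesis 2: 'sc create ... type= kernel' or 'sc start' of a service created
    that way, followed within SEQUENCE_WINDOW by taskkill of a security process."""
    procs = sorted((e for e in events if e["event_id"] == 4688), key=lambda e: e["time"])
    kernel_services = set()  # service names seen created with type= kernel
    findings = []
    for i, ev in enumerate(procs):
        cmd = ev["command_line"]
        m = SC_DRIVER.search(cmd)
        if not m:
            continue
        verb, svc = m.group(1).lower(), m.group(2).lower()
        if verb == "create":
            if not re.search(r"type=\s*kernel", cmd, re.I):
                continue
            kernel_services.add(svc)
        elif svc not in kernel_services:
            continue
        for later in procs[i + 1:]:
            if later["time"] - ev["time"] > SEQUENCE_WINDOW:
                break
            lc = later["command_line"].lower()
            if "taskkill" in lc and any(p in lc for p in SECURITY_PROCESSES):
                findings.append((ev["host"], cmd, later["command_line"]))
    return findings


def hunt_anti_rootkit_tools(events, approved_hosts=frozenset()):
    """Hypothesis 3: anti-rootkit tool execution on hosts outside an allowlist of
    machines where such tools belong to the standard admin toolkit (assumed list)."""
    return [(e["host"], e["image"]) for e in events
            if e["event_id"] == 4688 and _basename(e["image"]) in ANTI_ROOTKIT_TOOLS
            and e["host"] not in approved_hosts]


# Constructed sample events (not from the article): one BYOVD sequence on WS01,
# a benign driver install, and GMER runs on an unapproved and an approved host.
T0 = datetime(2026, 3, 19, 10, 0, 0)
SAMPLE_EVENTS = [
    {"event_id": 7045, "time": T0, "host": "WS01", "service_type": "kernel mode driver",
     "image_path": r"C:\Users\jdoe\AppData\Local\Temp\aswArPot.sys"},
    {"event_id": 7045, "time": T0, "host": "WS01", "service_type": "kernel mode driver",
     "image_path": r"C:\Windows\System32\drivers\nvlddmkm.sys"},
    {"event_id": 4688, "time": T0 + timedelta(seconds=1), "host": "WS01",
     "image": r"C:\Windows\System32\sc.exe",
     "command_line": r"sc create aswArPot.sys type= kernel binpath= C:\Users\jdoe\AppData\Local\Temp\aswArPot.sys"},
    {"event_id": 4688, "time": T0 + timedelta(seconds=2), "host": "WS01",
     "image": r"C:\Windows\System32\sc.exe", "command_line": "sc start aswArPot.sys"},
    {"event_id": 4688, "time": T0 + timedelta(seconds=5), "host": "WS01",
     "image": r"C:\Windows\System32\taskkill.exe", "command_line": "taskkill /f /im MsMpEng.exe"},
    {"event_id": 4688, "time": T0 + timedelta(minutes=10), "host": "WS02",
     "image": r"C:\Tools\gmer.exe", "command_line": "gmer.exe"},
    {"event_id": 4688, "time": T0 + timedelta(minutes=11), "host": "ADMIN-JUMP",
     "image": r"C:\Tools\gmer.exe", "command_line": "gmer.exe"},
]

if __name__ == "__main__":
    for name, hits in (("driver services", hunt_vulnerable_driver_services(SAMPLE_EVENTS)),
                       ("sc then kill", hunt_sc_then_kill(SAMPLE_EVENTS)),
                       ("anti-rootkit", hunt_anti_rootkit_tools(SAMPLE_EVENTS, {"ADMIN-JUMP"}))):
        print(f"{name}: {hits}")
```

The second hunt tracks service names from `sc create ... type= kernel` so that a later bare `sc start <name>` (which carries no type on its command line) still correlates; in practice the window and the process-name list are the main false-positive levers, which is why the report rates that hypothesis Medium.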

Control Gaps

  • Over-reliance on driver blocklists (Microsoft Vulnerable Driver Blocklist) which can be bypassed or lag behind newly discovered vulnerable drivers.
  • Inability to prevent execution of tools signed with stolen or expired certificates if revocation checks fail or are bypassed.

Key Behavioral Indicators

  • Service creation for kernel drivers from user profiles
  • Execution of taskkill or net stop targeting AV/EDR services
  • Unexpected reboot into Safe Mode

False Positive Assessment

  • Medium

Recommendations

Immediate Mitigation

  • Implement and enforce Microsoft's recommended driver block rules to prevent known vulnerable drivers from loading.
  • Monitor for and block the hashes of known EDR killers and abused drivers provided in the IoCs.

Infrastructure Hardening

  • Enable Windows Defender Application Control (WDAC) or similar application whitelisting to restrict the execution of unapproved binaries and drivers.
  • Ensure LSA Protection and Tamper Protection are enabled on all endpoint security agents.

User Protection

  • Restrict local administrative privileges to prevent unauthorized users or compromised accounts from loading kernel drivers or modifying system services.

Security Awareness

  • Train SOC analysts to treat any alert related to EDR tampering or unexpected driver loading as a critical, high-priority incident requiring immediate containment.

MITRE ATT&CK Mapping

  • T1059.003 - Command and Scripting Interpreter: Windows Command Shell
  • T1569.002 - System Services: Service Execution
  • T1543.003 - Create or Modify System Process: Windows Service
  • T1037.001 - Boot or Logon Initialization Scripts: Logon Script (Windows)
  • T1068 - Exploitation for Privilege Escalation
  • T1562.001 - Impair Defenses: Disable or Modify Tools
  • T1562.009 - Impair Defenses: Safe Mode Boot
  • T1070.004 - Indicator Removal: File Deletion
  • T1562.006 - Impair Defenses: Indicator Blocking
  • T1027 - Obfuscated Files or Information
  • T1027.009 - Obfuscated Files or Information: Embedded Payloads
  • T1027.002 - Obfuscated Files or Information: Software Packing
  • T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools
  • T1140 - Deobfuscate/Decode Files or Information
  • T1490 - Inhibit System Recovery
  • T1489 - Service Stop

Additional IOCs

  • File Hashes:
    • 75F85CAEA52FE5A124FA77E2934ABD3161690ADD (SHA1) - The ABYSSWORKER rootkit (smuot.sys)
    • 1E7567C0D525AD037FBBBAFB643BF40541994411 (SHA1) - EDR-Freeze EDR killer
    • A9F37104D2D89051F34E1486BC6EBFF44D147E67 (SHA1) - DLKiller EDR killer
    • 570161A420992280A8ECED253EDC800296B72D1C (SHA1) - HexKiller EDR killer
    • BBE0E14BC7ECE8A7A1236D5A12E30476CFCEF110 (SHA1) - SevexKiller EDR killer
    • 31CE76931CA09D3918B34E3187703BC72E6D647E (SHA1) - TfSysMon-Killer EDR killer
    • B9820BF443C375577CEEF44B9491E3A569A1B9E8 (SHA1) - dead-av EDR killer
    • 34270B07538B7357CF10D0D5BDA68F234B602F93 (SHA1) - GhostDriver EDR killer
    • 09735640D6634B0303755A9FD3B2BC80F932126C (SHA1) - SmilingKiller EDR killer
    • 85BC0A4F67522D6AC6BE64D763E65A2945EC5028 (SHA1) - kill-floor EDR killer
    • BC65ED919988C8E4B8F5A1CD371745456601700A (SHA1) - DemoKiller EDR killer (demo.exe)
    • C881F43C7FE94A6F056A84DA8E9A32FE56D8DD9C (SHA1) - ThreatFire System Monitor vulnerable driver (TfSysMon.sys)
    • 67D17CA90880B448D5C3B40F69CEC04D3649F170 (SHA1) - Rentdrv2 vulnerable driver
    • F329AE0FDF1E198BEA6BA787E59CB73F90714002 (SHA1) - USB-C Power Delivery Firmware Update Utility vulnerable driver (data.sys)
    • 82ED942A52CDCF120A8919730E00BA37619661A3 (SHA1) - ThrottleStop vulnerable driver
    • CE1B9909CEF820E5281618A7A0099A27A70643DC (SHA1) - Custom rootkit used by CardSpaceKiller (hlpdrv.sys)
    • 7310D6399683BA3EB2F695A2071E0E45891D743B (SHA1) - ITM SYSTEM File Filter vulnerable driver (probmon.sys)
    • C85C9A09CD1CB1691DA0D96772391BE6DDBA3555 (SHA1) - Beijing Rising Network Security vulnerable driver (kl.sys)
    • 6EE94F6BDC4C4ED0FFF621FEC36C70FF093659ED (SHA1) - OCular THelper vulnerable driver (msupdate.sys)
    • BA14C43031411240A0836BEDF8C8692B54698E05 (SHA1) - MS4Killer EDR killer
    • 127B50C8185986A52AE66BF6E7E67A6FD787C4FC (SHA1) - CardSpaceKiller EDR killer (version.dll)
    • A3BDB419703A70157F2B7BD1DC2E4C9227DD9FE8 (SHA1) - CardSpaceKiller EDR killer (0th3r_av5.exe)
    • 4A57083122710D51F247367AFD813A740AC180A1 (SHA1) - CardSpaceKiller EDR killer
    • DB8BCB8693DDF715552F85B8E2628F060070F920 (SHA1) - CardSpaceKiller EDR killer (HwRwDrv.sys)
  • File Paths:
    • C:\Users\Default\AppData\Local\Microsoft\Windows\ntfs.bin - File path used by SmilingKiller/kill-floor to drop embedded drivers
    • C:\Users\Default\AppData\Local\Microsoft\Windows\wamsdk.sys - File path used by SmilingKiller/kill-floor to drop embedded drivers
  • Command Lines:
    • Purpose: Terminate security product processes | Tools: taskkill | Stage: Defense Evasion | taskkill /f /im
    • Purpose: Stop security product services | Tools: net | Stage: Defense Evasion | net stop
    • Purpose: Delete security product services | Tools: sc | Stage: Defense Evasion | sc delete
    • Purpose: Create a service for a vulnerable driver | Tools: sc | Stage: Privilege Escalation / Defense Evasion | sc create aswArPot.sys type=kernel binpath=
    • Purpose: Start a vulnerable driver service | Tools: sc | Stage: Privilege Escalation / Defense Evasion | sc start aswArPot.sys
    • Purpose: Create a service for a vulnerable driver | Tools: sc | Stage: Privilege Escalation / Defense Evasion | sc create K7RKScan type= kernel binpath=
    • Purpose: Start a vulnerable driver service | Tools: sc | Stage: Privilege Escalation / Defense Evasion | sc start K7RKScan